[CERT-daily] Daily Summary - Friday 22-11-2013

Daily end-of-shift report team at cert.at
Fri Nov 22 18:10:06 CET 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 21-11-2013 18:00 − Friday 22-11-2013 18:00
Handler:     Stephan Richter
Co-Handler:  Robert Waldner

*** DNP3 Implementation Vulnerability (Update A) ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A




*** Facebook Vulnerability Discloses Friends Lists Defined as Private ***
---------------------------------------------
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110157




*** Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability ***
---------------------------------------------
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva uses hardened CentOS 5.4 to run its Web Application Firewall and Database Activity Monitoring products. It could be expl...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110158




*** Instagram for iOS Flattr account security bypass ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by flattring the photos, causing the money from the user's account to be redirected.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89162




*** Instagram for iOS upload module file upload ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89160




*** prettyPhoto Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55769




*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0; IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_inotes_cross_site_scripting_vulnerability_cve_2013_0595?lang=en_us




*** VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability ***
---------------------------------------------
Overview: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description: CWE-94: Improper Control of Generation of Code (Code Injection)
---------------------------------------------
http://www.kb.cert.org/vuls/id/893462




*** Dovecot checkpassword-reply Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54808





